false positive for CRLF_INJECTION_LOGS

[geoHeil]

Even when setting

log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%d{HH:mm:ss.SSS} %marker [%t] %-5level %logger{36} - %encode{replace(%msg){'[\r\n]', ''}}%n

in log4j properties section as recommended by

Solution:
You can manually sanitize each parameter.

log.info("User " + val.replaceAll("[\r\n]","") + " (" + userAgent.replaceAll("[\r\n]","") + ") was not authenticated");
You can also configure your logger service to replace new line for all message events. Here is sample configuration for LogBack using the replace function.

%-5level - %replace(%msg){'[\r\n]', ''}%n
Finally, you can use a logger implementation that replace new line by spaces. The project OWASP Security Logging has an implementation for Logback and Log4j.

and additionally replacing the values:

logger.warn(s"some text ${someInteger.toString.replaceAll("[\r\n]", "")} more text")

I still keep getting CRLF_INJECTION_LOGS errors.

Note, I am using scala.

[h3xstream]

Once, you have configured LogBack, you need to disable the rule "CRLF_INJECTION_LOGS".
At the moment, Find Security Bugs is not able to analyze other files than the class files (spotbugs/spotbugs#186).